[3.13.y-ckt stable] Patch "ipv4: Avoid crashing in ip_error" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Wed Jun 17 21:27:52 UTC 2015 

This is a note to let you know that I have just added a patch titled

    ipv4: Avoid crashing in ip_error

to the linux-3.13.y-queue branch of the 3.13.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11-ckt22.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 5fb1c73e10c615610115785877f0c422efc0f2df Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm at xmission.com>
Date: Fri, 22 May 2015 04:58:12 -0500
Subject: ipv4: Avoid crashing in ip_error

commit 381c759d9916c42959515ad34a6d467e24a88e93 upstream.

ip_error does not check if in_dev is NULL before dereferencing it.

IThe following sequence of calls is possible:
CPU A                          CPU B
ip_rcv_finish
    ip_route_input_noref()
        ip_route_input_slow()
                               inetdev_destroy()
    dst_input()

With the result that a network device can be destroyed while processing
an input packet.

A crash was triggered with only unicast packets in flight, and
forwarding enabled on the only network device.   The error condition
was created by the removal of the network device.

As such it is likely the that error code was -EHOSTUNREACH, and the
action taken by ip_error (if in_dev had been accessible) would have
been to not increment any counters and to have tried and likely failed
to send an icmp error as the network device is going away.

Therefore handle this weird case by just dropping the packet if
!in_dev.  It will result in dropping the packet sooner, and will not
result in an actual change of behavior.

Fixes: 251da4130115b ("ipv4: Cache ip_error() routes even when not forwarding.")
Reported-by: Vittorio Gambaletta <linuxbugs at vittgam.net>
Tested-by: Vittorio Gambaletta <linuxbugs at vittgam.net>
Signed-off-by: Vittorio Gambaletta <linuxbugs at vittgam.net>
Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
Acked-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 net/ipv4/route.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 01176f0..758a85d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -917,6 +917,10 @@ static int ip_error(struct sk_buff *skb)
 	bool send;
 	int code;

+	/* IP on this device is disabled. */
+	if (!in_dev)
+		goto out;
+
 	net = dev_net(rt->dst.dev);
 	if (!IN_DEV_FORWARD(in_dev)) {
 		switch (rt->dst.error) {
--
1.9.1

More information about the kernel-team mailing list